updating files for lxc container and ipv6
This commit is contained in:
@@ -1,39 +1,37 @@
|
|||||||
|
{ config, modulesPath, pkgs, lib, ... }:
|
||||||
{
|
{
|
||||||
config,
|
|
||||||
lib,
|
|
||||||
pkgs,
|
|
||||||
...
|
|
||||||
}: {
|
|
||||||
imports = [
|
imports = [
|
||||||
./hardware-configuration.nix
|
(modulesPath + "/virtualisation/proxmox-lxc.nix")
|
||||||
./matrix.nix
|
./matrix.nix
|
||||||
];
|
];
|
||||||
|
nix.settings = { sandbox = false; };
|
||||||
|
proxmoxLXC = {
|
||||||
|
manageNetwork = false;
|
||||||
|
privileged = true;
|
||||||
|
};
|
||||||
|
|
||||||
boot.loader.systemd-boot.enable = true;
|
# Disable /sys/kernel/debug mount which fails in LXC
|
||||||
boot.loader.efi.canTouchEfiVariables = true;
|
systemd.mounts = [{
|
||||||
|
where = "/sys/kernel/debug";
|
||||||
|
enable = false;
|
||||||
|
}];
|
||||||
|
|
||||||
networking.hostName = "nixos-matrix";
|
services.fstrim.enable = false; # Let Proxmox host handle fstrim
|
||||||
networking.networkmanager.enable = true;
|
networking.firewall.enable = false;
|
||||||
|
services.openssh = {
|
||||||
|
enable = true;
|
||||||
|
openFirewall = true;
|
||||||
|
settings = {
|
||||||
|
PermitRootLogin = "yes";
|
||||||
|
PasswordAuthentication = true;
|
||||||
|
PermitEmptyPasswords = "yes";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
time.timeZone = "America/Los_Angeles";
|
users.users.w0bm = {
|
||||||
|
|
||||||
users.users.tony = {
|
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
extraGroups = ["wheel"];
|
extraGroups = ["wheel"];
|
||||||
};
|
};
|
||||||
|
|
||||||
services.openssh.enable = true;
|
|
||||||
services.nginx.enable = true;
|
|
||||||
|
|
||||||
security.acme = {
|
|
||||||
acceptTerms = true;
|
|
||||||
defaults.email = "your-email@example.com";
|
|
||||||
};
|
|
||||||
|
|
||||||
environment.systemPackages = with pkgs; [
|
|
||||||
vim
|
|
||||||
git
|
|
||||||
];
|
|
||||||
|
|
||||||
system.stateVersion = "25.11";
|
system.stateVersion = "25.11";
|
||||||
}
|
}
|
||||||
|
|||||||
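Review bot: The new `services.openssh.settings` block turns on `PermitRootLogin = "yes"`, `PasswordAuthentication = true` and `PermitEmptyPasswords = "yes"` while `networking.firewall.enable = false` exposes sshd on every interface, and the only account declared here, `w0bm`, is in `wheel` with no password hash or authorized key visible in this hunk — if no password is set elsewhere, anyone who can reach port 22 gets a sudo-capable shell. That matters more than usual because `proxmoxLXC.privileged = true` means root inside this container is generally treated as root on the Proxmox host. Unless this is a throwaway build, I would change the three settings to `PermitRootLogin = "prohibit-password"; PasswordAuthentication = false; PermitEmptyPasswords = "no";`, declare `users.users.w0bm.openssh.authorizedKeys.keys`, and drop the `networking.firewall.enable = false` line so that `openFirewall = true` and the `allowedTCPPorts` list in matrix.nix actually take effect. If passwordless login is deliberate for first-boot provisioning, a comment such as `# TEMPORARY: empty-password login for initial provisioning, remove after keys are installed` would spare the next reader the alarm. The file name for this section is not shown on the page, so I am assuming this is the host's configuration.nix.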
54
matrix.nix
54
matrix.nix
@@ -28,7 +28,7 @@ in {
|
|||||||
listeners = [
|
listeners = [
|
||||||
{
|
{
|
||||||
port = 8008;
|
port = 8008;
|
||||||
bind_addresses = ["127.0.0.1"];
|
bind_addresses = ["::1"];
|
||||||
type = "http";
|
type = "http";
|
||||||
tls = false;
|
tls = false;
|
||||||
x_forwarded = true;
|
x_forwarded = true;
|
||||||
@@ -56,6 +56,20 @@ in {
|
|||||||
enable_registration = false;
|
enable_registration = false;
|
||||||
enable_metrics = false;
|
enable_metrics = false;
|
||||||
registration_shared_secret_path = "/var/lib/matrix-synapse/registration_secret";
|
registration_shared_secret_path = "/var/lib/matrix-synapse/registration_secret";
|
||||||
|
|
||||||
|
# Allow others to view the public room list
|
||||||
|
allow_public_rooms_without_auth = true;
|
||||||
|
allow_public_rooms_over_federation = true;
|
||||||
|
|
||||||
|
room_list_publication_rules = [
|
||||||
|
{
|
||||||
|
action = "allow";
|
||||||
|
user_id = "*";
|
||||||
|
room_id = "*";
|
||||||
|
alias = "*";
|
||||||
|
require_admin = true;
|
||||||
|
}
|
||||||
|
];
|
||||||
|
|
||||||
trusted_key_servers = [
|
trusted_key_servers = [
|
||||||
{
|
{
|
||||||
@@ -76,18 +90,48 @@ in {
|
|||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
services.nginx.enable = true;
|
||||||
|
|
||||||
|
system.activationScripts.generate-matrix-certs = {
|
||||||
|
text = ''
|
||||||
|
mkdir -p /var/lib/matrix-certs
|
||||||
|
# Ensure permissions on the directory itself
|
||||||
|
chown nginx:nginx /var/lib/matrix-certs
|
||||||
|
chmod 750 /var/lib/matrix-certs
|
||||||
|
|
||||||
|
if [ ! -f /var/lib/matrix-certs/matrix.key ]; then
|
||||||
|
${pkgs.openssl}/bin/openssl req -x509 -newkey rsa:4096 -keyout /var/lib/matrix-certs/matrix.key -out /var/lib/matrix-certs/matrix.crt -days 3650 -nodes -subj "/CN=${matrixDomain}"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Force permissions on files every time
|
||||||
|
chown nginx:nginx /var/lib/matrix-certs/matrix.*
|
||||||
|
chmod 640 /var/lib/matrix-certs/matrix.key
|
||||||
|
chmod 644 /var/lib/matrix-certs/matrix.crt
|
||||||
|
|
||||||
|
# Ensure log directory exists and is writable
|
||||||
|
mkdir -p /var/log/nginx
|
||||||
|
chown -R nginx:nginx /var/log/nginx
|
||||||
|
chmod 750 /var/log/nginx
|
||||||
|
'';
|
||||||
|
deps = ["users"];
|
||||||
|
};
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
services.nginx.virtualHosts.${domain} = {
|
services.nginx.virtualHosts.${domain} = {
|
||||||
enableACME = true;
|
sslCertificate = "/var/lib/matrix-certs/matrix.crt";
|
||||||
|
sslCertificateKey = "/var/lib/matrix-certs/matrix.key";
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
|
locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
|
||||||
locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
|
locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx.virtualHosts.${matrixDomain} = {
|
services.nginx.virtualHosts.${matrixDomain} = {
|
||||||
enableACME = true;
|
sslCertificate = "/var/lib/matrix-certs/matrix.crt";
|
||||||
|
sslCertificateKey = "/var/lib/matrix-certs/matrix.key";
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
proxyPass = "http://127.0.0.1:8008";
|
proxyPass = "http://[::1]:8008";
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
proxy_set_header X-Forwarded-For $remote_addr;
|
proxy_set_header X-Forwarded-For $remote_addr;
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
@@ -97,5 +141,5 @@ in {
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [8448];
|
networking.firewall.allowedTCPPorts = [443];
|
||||||
}
|
}
|
||||||
|
|||||||
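Review bot: The `generate-matrix-certs` activation script replaces the ACME certificates with a ten-year self-signed one, and both virtual hosts — including the `.well-known/matrix/server` delegation on `${domain}` — now serve it; remote Synapse instances validate federation TLS against public CAs by default, so if this homeserver is meant to federate, peers will refuse the connection unless a CA-issued certificate is restored or TLS is terminated upstream, and a comment stating which of those is intended belongs next to `sslCertificate`. The file permissions are sensible (`matrix.key` at 640 `nginx:nginx`), but generating the private key inside an activation script means it runs as root on every `nixos-rebuild switch`; `systemd.tmpfiles.rules` for the directories plus a oneshot service that runs `openssl` only when the key is missing would keep the activation phase side-effect free. The `chown -R nginx:nginx /var/log/nginx` on every activation looks redundant with what the nginx module already manages — presumably; confirm before keeping it. Finally, the `allowedTCPPorts = [443]` change in the last hunk has no effect while the companion configuration.nix change sets `networking.firewall.enable = false`; either re-enable the firewall or remove the line so it does not read as a protection that is not there.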